Merck Cyberattack’s $1.3 Billion Question: Was It an Act of War?
(Bloomberg Markets) -- By the time Deb Dellapena arrived for work at Merck & Co.’s 90-acre campus north of Philadelphia, there was a handwritten sign on the door: The computers are down.
It was worse than it seemed. Some employees who were already at their desks at Merck offices across the U.S. were greeted by an even more unsettling message when they turned on their PCs. A pink font glowed with a warning: “Ooops, your important files are encrypted. … We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment …” The cost was $300 in Bitcoin per computer.
The ransom demand was a ruse. It was designed to make the software locking up many of Merck’s computers—eventually dubbed NotPetya—look like the handiwork of ordinary criminals. In fact, according to Western intelligence agencies, NotPetya was the creation of the GRU, Russia’s military intelligence agency—the same one that had hacked the Democratic National Committee the previous year.
“For two weeks, there was nothing being done. Merck is huge. It seemed crazy that something like this could happen”
NotPetya’s impact on Merck that day—June 27, 2017—and for weeks afterward was devastating. Dellapena, a temporary employee, couldn’t dig into her fact-checking work. Interns and temps bided their time at their desks before some of them were sent home a week later. Some employees gossiped, their screens dark. Others watched videos on their phones.
In all, the attack crippled more than 30,000 laptop and desktop computers at the global drugmaker, as well as 7,500 servers, according to a person familiar with the matter. Sales, manufacturing, and research units were all hit. One researcher told a colleague she’d lost 15 years of work. Near Dellapena’s suburban office, a manufacturing facility that supplies vaccines for the U.S. market had ground to a halt. “For two weeks, there was nothing being done,” Dellapena recalls. “Merck is huge. It seemed crazy that something like this could happen.”
As it turned out, NotPetya’s real targets were half a world away, in Ukraine, which has been in heightened conflict with Russia since 2014. In the former Soviet republic, the malware rocketed through government agencies, banks, power stations—even the Chernobyl radiation monitoring system. Merck was apparently collateral damage. NotPetya contaminated Merck via a server in its Ukraine office that was running an infected tax software application called M.E.Doc.
NotPetya spread. It hopped from computer to computer, from country to country. It hit FedEx, the shipping giant Maersk, the global confectioner Mondelēz International, the advertising firm WPP, and hundreds of other companies. All in all, the White House said in a statement afterward, it was the “most destructive and costly cyberattack in history.”
By the end of 2017, Merck estimated initially in regulatory filings that the malware did $870 million in damages. Among other things, NotPetya so crippled Merck’s production facilities that it couldn’t meet demand that year for Gardasil 9, the leading vaccine against the human papillomavirus, or HPV, which can cause cervical cancer. Merck had to borrow 1.8 million doses—the entire U.S. emergency supply—from the Pediatric National Stockpile. It took Merck 18 months to replenish the cache, valued at $240 million. (The Centers for Disease Control and Prevention say the stockpile’s ability to deliver medicine wasn’t affected.)
Merck did what any of us would do when facing a disaster: It turned to its insurers. After all, through its property policies, the company was covered—after a $150 million deductible—to the tune of $1.75 billion for catastrophic risks including the destruction of computer data, coding, and software. So it was stunned when most of its 30 insurers and reinsurers denied coverage under those policies. Why? Because Merck’s property policies specifically excluded another class of risk: an act of war.
Merck went to court, suing its insurers, including such industry titans as Allianz SE and American International Group Inc., for breach of contract, ultimately claiming $1.3 billion in losses.
In a world where a hacker can cause more damage than a gunship, the dispute playing out in a New Jersey courtroom will have far-reaching consequences for victims of cyberattacks and the insurance companies that will or will not protect them. Until recently, the big worry associated with cyberattacks was data loss. The NotPetya strike shows how a few hundred lines of malicious code can bring a company to its knees.